Microsoft Virtual Machine Has Real Problem

Having Java applets running on Windows could allow an attacker to hijack
your system.

Microsoft released an advisory Wednesday night warning of three new flaws
affecting Windows users, the most serious of which could allow an attacker
to gain complete control of a user's system.

The flaws, two of which the company says are critical, occur in Microsoft's
Virtual Machine, a program which implements the Java language on Windows
platforms. The Microsoft VM is shipped in most versions of Windows, as well
as in most versions of Internet Explorer.

According to the bulletin, the attack vectors for all three vulnerabilities
would likely be the same, with an attacker creating a web page that, when
opened, exploits the desired flaw.

The attacker would have to lure the victim to that specific page to exploit
the vulnerability, or could contain it within an HTML email. Microsoft
notes, however, that those using email clients, such as Outlook 2002,
Outlook Express 6, cannot, by default, run applets in email.

The first two vulnerabilities both involves the Java Database Connectivity
classes, which provide features that allow Java applications to connect to
and use data from a wide variety of data sources, ranging from flat files to
SQL Server databases.

The first vulnerability, which Microsoft has deemed a critical risk, results
from a flaw in the way the classes process a certain type of request.
Although the classes do perform checks that are designed to ensure that only
authorized applets can levy these requests, it's possible to spoof the
check, enabling an attacker to load and execute any DLL on the
user's system, which could be used by the attacker to perform any operation
that the user could.

Microsoft believes that the second vulnerability, which occurs because
certain functions don't correctly validate handles, would only cause
Internet Explorer to fail. The company notes, however, that there is at
least a theoretical possibility that the flaw could also enable an attacker
to provide data that would have the effect of running code in the security
context of the user.

VM's final vulnerability, another that has earned a critical rating,
involves a class that provides support for the use of XML by Java
applications. This vulnerability occurs because the class does not
differentiate correctly between methods suitable for use by any applet and
those only suitable for use by trusted ones. Microsoft admits that among the
functions that could be misused through this vulnerability are ones that
would enable an applet to take virtually any desired action on the user's
system.

Microsoft could not be reached for comment this morning, but has issued a
patch for all three vulnerabilities, which is available by visiting the
company's Window's
Update site.